Abstract. $P \in S_N$ is a fast forward permutation if for each $m$ the computational complexity of evaluating $P^m(x)$ is small independently of $m$ and $x$. Naor and Reingold constructed fast forward pseudorandom cycluses and involutions. By studying the evolution of permutation graphs, we prove that the number of queries needed to distinguish a random cyclus from a random permutation in $S_N$ is $\Omega(N)$ if one does not use queries of the form $P^m(x)$, but is only $O(1)$ if one is allowed to make such queries.

We construct fast forward permutations which are indistinguishable from random permutations even when queries of the form $P^m(x)$ are allowed. This is done by introducing an efficient method to sample the cycle structure of a random permutation, which in turn solves an open problem of Naor and Reingold.



0. Introduction and Motivation 

According to Naor and Reingold [1], a permutation $\sigma \in S_N$ is a fast forward permutation if for each integer $m$, and each $x = 0, \dots, N-1$, the computational complexity of evaluating $\sigma^m(x)$ is small and independent of $m$ and $x$. An important example of such a permutation is the successor permutation $s$ defined by

$s(x) = x + 1 \bmod N$,

as for each $m$ and $x$, $s^m(x) = x + m \bmod N$. Observe that $s$ is a cyclus, that is, its cycle structure consists of a single cycle of length $N$.

Throughout this paper, the term random is taken with respect to the uniform distribution. In [1], Naor and Reingold consider the following problem¹: Assume that we have a fast forward permutation $\sigma \in S_N$. Assume further that we have an oracle² $\mathcal{P}$ which fixes a random permutation $P \in S_N$, and for each $x$ can compute $P(x)$ and $P^{-1}(x)$ in time which is polynomial in $\log N$. We wish to use this oracle in order to define a random permutation $Q$ such that:

(1) $Q$ is a random element of the space of all permutations which have the same cycle structure as $\sigma$.

(2) $Q$ is a fast forward permutation.

¹ For the sake of clarity, we concentrate at the beginning on the (purely) random case, and leave the pseudorandom case for Part 3.

The solution to this problem is as follows [1]: Define $Q = P \sigma P^{-1}$. Then for each integer $m$ we have that

$Q^m(x) = P(\sigma^m(P^{-1}(x)))$,

so $Q$ is a fast forward permutation. Moreover, $Q$ has the same cycle structure as $\sigma$, and it is not difficult to see that it is distributed uniformly among the permutations which have the same cycle structure as $\sigma$.
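The construction $Q = P\sigma P^{-1}$ in code, as an added example that is not part of the paper: a toy oracle $\mathcal{P}$ backed by a shuffled table stands in for the real permutation oracle (so this only runs for small $N$), and $Q^m(x)$ is evaluated with exactly one $P^{-1}$ query and one $P$ query whatever $m$ is. The class and function names, and the use of a table instead of a pseudorandom permutation, are assumptions of this example.

```python
import random


class PermutationOracle:
    """The oracle P of the introduction: fixes a random P in S_N and answers
    P(x) and P^{-1}(x) queries.  A lookup table stands in for a real PRP
    (an assumption of this example, usable for small N only)."""

    def __init__(self, N, rng=random):
        self.perm = list(range(N))
        rng.shuffle(self.perm)
        self.inv = [0] * N
        for x, y in enumerate(self.perm):
            self.inv[y] = x
        self.queries = 0          # counts oracle calls, to see the cost of Q^m

    def forward(self, x):
        self.queries += 1
        return self.perm[x]

    def backward(self, y):
        self.queries += 1
        return self.inv[y]


def successor_power(N, x, m):
    """s^m(x) = x + m mod N for the successor cyclus s; O(1) for any integer m."""
    return (x + m) % N


def conjugate_power(oracle, sigma_power, x, m):
    """Q^m(x) = P(sigma^m(P^{-1}(x))) for Q = P sigma P^{-1}.
    sigma_power(y, m) must evaluate sigma^m(y); two oracle calls, independent of m."""
    return oracle.forward(sigma_power(oracle.backward(x), m))


def cycle_lengths(f, N):
    """Cycle lengths of the permutation x -> f(x) on {0,...,N-1}, each cycle walked once."""
    seen, out = [False] * N, []
    for start in range(N):
        if seen[start]:
            continue
        n, x = 0, start
        while not seen[x]:
            seen[x] = True
            x = f(x)
            n += 1
        out.append(n)
    return out


def nr_cyclus(N, rng=random):
    """Naor-Reingold fast forward random cyclus: returns q(x, m) = Q^m(x) with sigma = s."""
    oracle = PermutationOracle(N, rng)
    return oracle, (lambda x, m: conjugate_power(
        oracle, lambda y, k: successor_power(N, y, k), x, m))
```

Running `cycle_lengths(lambda x: q(x, 1), N)` on the returned `q` always gives a single cycle of length $N$, since conjugation preserves the cycle structure of $s$; `oracle.queries` grows by exactly two per evaluation regardless of $m$.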

Therefore Naor and Reingold's construction with $\sigma = s$ yields a fast forward random cyclus. The natural question which arises is whether this construction gives a pseudorandom permutation. Here by pseudorandom permutation we mean that the resulting permutation is difficult to distinguish from a truly random permutation using a limited number (under some reasonable definition of "limited") of calls to the oracle. In Section 4 of [1] it is conjectured that distinguishing a random cyclus in $S_N$ from a random permutation should require roughly $\sqrt{N}$ evaluations. In the forthcoming Section 1 we prove that in the restricted model where only queries of the form $P(x)$ or $P^{-1}(x)$ are allowed (this is the usual model), the task of distinguishing a random cyclus from a random permutation requires roughly $N$ (not $\sqrt{N}$) evaluations.

However, if one wants to allow the usage of the fast forward property in the mentioned construction, then the resulting permutation is far from being pseudorandom: In Section 2 we show that a single evaluation is enough to distinguish a random cyclus from a random permutation in the fast forward model (where evaluations of the form $P^m(x)$ are allowed). Therefore, the question of constructing a fast forward pseudorandom permutation is far from having a satisfactory solution. It turns out that a solution to this problem can be obtained by solving another open problem.

After introducing their construction, Naor and Reingold ask whether it is possible to remove the restriction on the cycle structure of the fast forward permutation, that is, whether one can use the oracle $\mathcal{P}$ in order to define a random permutation $Q$ such that:

(1) $Q$ is a random element in the space $S_N$ of all permutations.

(2) $Q$ is a fast forward permutation.

² An oracle is an algorithm initialized by a fixed unknown initial state, which works as a "black box" by accepting queries of some specific form, and making responses accordingly. (The initial state of the algorithm may change as it runs.) The user of such an algorithm can only know the queries and the responses to them.

We give an affirmative solution which is based on an efficient method to sample the cycle structure of a random permutation, together with the introduction of a fast forward permutation for any given cycle structure. This construction yields a fast forward random permutation which is indistinguishable from a random permutation even in the fast forward model.

Part 1. Indistinguishability and distinguishability

This part deals with the evolution of permutation graphs and its application to the indistinguishability of random cycluses from random permutations, and with the distinguishability of random cycluses from random permutations when fast forward queries are allowed.

1. The indistinguishability of random cycluses from random permutations

In this section we prove that the number of evaluations of the form $P(x)$ or $P^{-1}(x)$ needed in order to distinguish a random cyclus in $S_N$ from a random permutation in $S_N$ is $\Omega(N)$.

Our proof is best stated in the language of graphs. We first set up 
the basic notation and facts. As these are fairly natural, the reader 
may wish to skip directly to Lemma 1.1, and return to the definitions 
only if an ambiguity occurs. 

Throughout this section, $V = \{0, \dots, N-1\}$ and $G$ (with or without an index) will denote a finite directed graph with $V$ as its set of vertices.

Fix a natural number $N$. The graph of a (partial) function $f$ from (a subset of) $V$ to $V$ is the directed graph with set of vertices $V$ and with an edge from $x$ to $y$ if, and only if, $f(x) = y$ (for all $x, y \in V$). For convenience we also require that for all $x, y \in V$ there exists at most one edge from $x$ to $y$, and we write $x \to y$ when there exists an edge from $x$ to $y$. The graph of a (partial) function will be called a (partial) function graph. Observe that there is a natural bijective correspondence between (partial) functions and their graphs. A particular case of (partial) function graphs is the (partial) permutation graph, where we require that the (partial) function of the graph is injective.

Let $\Phi$ denote the "forgetful" functor assigning to each directed graph $G$ the corresponding undirected graph $\Phi(G)$ (each edge from $x$ to $y$ is replaced by an undirected edge between $x$ and $y$). A set $C$ of vertices in $G$ is a component if it is a connected component in the undirected graph $\Phi(G)$ (isolated vertices are also components). A component $C$ is connected if for each $x, y \in C$ there exists a path from $x$ to $y$ in $G$.

If $G$ is a partial function graph then each connected component of $G$ is a cycle. A permutation graph $G$ of a cyclus will be called a cyclus graph. Thus a cyclus graph has a single connected component, and has the form

$x_0 \to x_1 \to \cdots \to x_{N-1} \to x_0$.

$G$ is a partial cyclus graph if it can be extended to a cyclus graph. A partial cyclus graph is proper if it is not a cyclus graph.

The following sequence of observations will play a key role in our proof. We will give proofs only where it seems necessary.

Lemma 1.1. Let $G$ be a directed graph. The following are equivalent:

(1) $G$ is a proper partial cyclus graph.

(2) $G$ is a partial permutation graph with no cycles.

(3) Each component of $G$ is well-ordered by $\to$.

Thus if $G$ is a proper partial cyclus graph then each component $C$ of $G$ contains a unique minimal element $\min C$ and a unique maximal element $\max C$.

Lemma 1.2. Assume that $G$ is a partial cyclus graph with $m$ components. Then there exist exactly $(m-1)!$ cyclus graphs extending $G$.

Proof. Let $C_0, \dots, C_{m-1}$ be the components of $G$.

Fix any cyclus $\sigma \in S_m$. For each $i = 0, \dots, m-1$, add an edge from $\max C_{\sigma^i(0)}$ to $\min C_{\sigma^{i+1}(0)}$ to obtain a cyclus graph $G^\sigma$. We claim that for distinct cycluses $\sigma, \tau \in S_m$, the graphs $G^\sigma$ and $G^\tau$ are distinct. Indeed, let $i \in \{0, \dots, m-1\}$ be minimal such that $\sigma^{i+1}(0) \ne \tau^{i+1}(0)$ (observe that $\sigma^0(0) = 0 = \tau^0(0)$). Then in $G^\sigma$ there is an edge from $\max C_{\sigma^i(0)}$ to $\min C_{\sigma^{i+1}(0)}$, whereas in $G^\tau$ there is not. Thus each cyclus in $S_m$ defines a unique cyclus graph extending $G$.

On the other hand, each cyclus graph extending $G$ defines a unique well-ordering on $G$ by removing the edge pointing to $\min C_0$, and this well-ordering defines, in turn, a unique cyclus $\sigma \in S_m$ by letting $\sigma^{i+1}(0)$ be the unique $k$ such that there is an edge from $\max C_{\sigma^i(0)}$ to $\min C_k$.

It remains to recall that there exist exactly $(m-1)!$ cycluses in $S_m$. □

Let $\mathrm{comp}(G)$ and $\mathrm{cyc}(G)$ denote the collection of components and cycles in $G$, respectively. The following lemma describes the basic steps in the evolution of partial permutation graphs. We use $\uplus$ to denote disjoint union.

Lemma 1.3. Assume that $G$ is a partial permutation graph, and let $\tilde G$ be the new graph obtained by adding a new edge to $G$. Then $\tilde G$ is a partial permutation graph if, and only if, there exist (not necessarily distinct) components $C_0$ and $C_1$ in $G$ such that the new edge is from $\max C_0$ to $\min C_1$. Moreover,

(1) If $C_0$ and $C_1$ are the same component then $\mathrm{comp}(\tilde G) = \mathrm{comp}(G)$, and $\mathrm{cyc}(\tilde G) = \mathrm{cyc}(G) \uplus \{C_0\}$. (In particular, $|\mathrm{comp}(\tilde G)| = |\mathrm{comp}(G)|$, and $|\mathrm{cyc}(\tilde G)| = |\mathrm{cyc}(G)| + 1$.)

(2) If $C_0$ and $C_1$ are distinct then $\mathrm{cyc}(\tilde G) = \mathrm{cyc}(G)$, and $\mathrm{comp}(\tilde G) = (\mathrm{comp}(G) \setminus \{C_0, C_1\}) \uplus \{C_0 \cup C_1\}$. (In particular, $|\mathrm{cyc}(\tilde G)| = |\mathrm{cyc}(G)|$, and $|\mathrm{comp}(\tilde G)| = |\mathrm{comp}(G)| - 1$.)

For the following definition, recall our convention that throughout this paper, the term random is taken with respect to the uniform distribution.

Definition 1.4. Define the following oracles:

$\mathcal{C}$: Chooses a random cyclus $P \in S_N$, accepts queries of the form $(x, i) \in \{0, \dots, N-1\} \times \{1, -1\}$, and responds with $y = P^i(x)$ for each such query.

$\mathcal{O}_2$: Begins with the empty graph $G_0$ on $V = \{0, \dots, N-1\}$, accepts queries of the form $(x, i) \in V \times \{1, -1\}$, and constructs a partial cyclus graph on $V$ as follows. To the $k$th query $(x_k, i_k)$, the oracle responds as follows:

(1) If the query was made earlier and answered with $y$, or a query of the form $(y, -i_k)$ was made earlier and answered with $x_k$, then the oracle responds with $y_k = y$.

(2) Otherwise, the oracle responds as follows (let $C_{x_k}$ denote the component of $x_k$):

(a) If $i_k = 1$ then it chooses a random $C \in \mathrm{comp}(G_k) \setminus \{C_{x_k}\}$, sets $y_k = \min C$, adds the edge $x_k \to y_k$ to $G_k$ to obtain a new graph $G_{k+1}$, and responds with $y_k$.

(b) If $i_k = -1$ (this is the dual case) then it chooses a random $C \in \mathrm{comp}(G_k) \setminus \{C_{x_k}\}$, sets $y_k = \max C$, adds the edge $y_k \to x_k$ to $G_k$ to obtain a new graph $G_{k+1}$, and responds with $y_k$.

A sequence $((x_0, i_0), y_0, \dots, (x_k, i_k), y_k)$ is $\mathcal{C}$-consistent if the equations $P^{i_j}(x_j) = y_j$ have a solution $P \in S_N$ which is a cyclus. It is nonrepeating if there exist no $0 \le j < l \le k$ such that $(x_l, i_l) = (x_j, i_j)$ or $(x_l, i_l) = (y_j, -i_j)$. Thus a nonrepeating sequence is a sequence where Case 1 of $\mathcal{O}_2$ is never activated, that is, a sequence in which each query answer gives new information on the permutation (or its graph). Observe that any consistent sequence can be turned into a shorter nonrepeating sequence which induces the same partial cyclus graph.

Lemma 1.5. For each nonrepeating $\mathcal{C}$-consistent sequence

$s = ((x_0, i_0), y_0, \dots, (x_{k-1}, i_{k-1}), y_{k-1})$,

$\Pr[s \mid \mathcal{C}] = (N-k-1)!/(N-1)! = \Pr[s \mid \mathcal{O}_2]$,

where $\Pr[s \mid A]$ is the probability that the oracle $A$ responds with $y_0$ to $(x_0, i_0)$, then with $y_1$ to $(x_1, i_1)$, ..., and finally with $y_{k-1}$ to $(x_{k-1}, i_{k-1})$.

Proof. The definition of $\mathcal{C}$-consistency ensures that the sequence $s$ defines a partial cyclus graph. The requirement that $s$ is nonrepeating implies by Lemma 1.3 that each answer to a query reduces the number of components in the induced partial cyclus graph by exactly 1. Thus, after $k$ queries the induced graph has exactly $N-k$ components. By Lemma 1.2, there exist $(N-k-1)!$ cyclus graphs extending the given partial cyclus graph, and therefore the probability of getting $s$ in $\mathcal{C}$ is $(N-k-1)!/(N-1)!$.

Now consider $\mathcal{O}_2$. Again, Lemma 1.3 implies that $|\mathrm{comp}(G_j)| = N - j$ for all $j$. Given $G_j$, the probability for a specific consistent answer $y_j$ to the next query to $\mathcal{O}_2$ is $1/(N-j-1)$ (uniform choice of one out of the remaining $N-j-1$ components). Thus,

$\Pr[s \mid \mathcal{O}_2] = \frac{1}{N-1} \cdot \frac{1}{N-2} \cdots \frac{1}{N-k} = \frac{(N-k-1)!}{(N-1)!}$.

□

We say that two oracles are equivalent if there is no way to distinguish 
between them by making queries to the oracles and analyzing their 
responses. 

Corollary 1.6. The oracles $\mathcal{C}$ and $\mathcal{O}_2$ are equivalent.

Definition 1.7. Define the following oracles.

$\mathcal{O}_3$: Initially sets a flag Bad to 0, and begins with the empty graph $G_0$ on $V = \{0, \dots, N-1\}$. This oracle accepts queries of the form $(x, i) \in V \times \{1, -1\}$, and constructs a partial permutation graph on $V$ as follows. To the $k$th query $(x_k, i_k)$, the oracle responds as follows:

(1) If the query was made earlier and answered with $y$, or a query of the form $(y, -i_k)$ was made earlier and answered with $x_k$, then the oracle responds with $y_k = y$.

(2) Otherwise, the oracle responds as follows:

(a) If $i_k = 1$ then it chooses a random $C \in \mathrm{comp}(G_k)$, sets $y_k = \min C$, adds the edge $x_k \to y_k$ to $G_k$ to obtain a new graph $G_{k+1}$, and responds with $y_k$.

(b) If $i_k = -1$ (this is the dual case) then it chooses a random $C \in \mathrm{comp}(G_k)$, sets $y_k = \max C$, adds the edge $y_k \to x_k$ to $G_k$ to obtain a new graph $G_{k+1}$, and responds with $y_k$.

If $C$ is the component of $x_k$, this oracle sets Bad $= 1$.

$\mathcal{P}$: Chooses a random permutation $P \in S_N$, accepts queries of the form $(x, i) \in \{0, \dots, N-1\} \times \{1, -1\}$, and responds with $y = P^i(x)$ for each such query.

A sequence $((x_0, i_0), y_0, \dots, (x_k, i_k), y_k)$ is $\mathcal{P}$-consistent if the equations $P^{i_j}(x_j) = y_j$ have a solution $P \in S_N$. The proof of the following is similar to the proof of Lemma 1.5 (in fact, it is simpler) and we omit it.

Lemma 1.8. For each nonrepeating $\mathcal{P}$-consistent sequence $s$ which corresponds to $k$ queries and replies,

$\Pr[s \mid \mathcal{O}_3] = (N-k)!/N! = \Pr[s \mid \mathcal{P}]$.

Corollary 1.9. Oracles $\mathcal{O}_3$ and $\mathcal{P}$ are equivalent.

For our purposes it seems convenient to use the following notion of a distinguisher. An (information theoretic) distinguisher $D$ is a probabilistic algorithm³ with unlimited computational power and storage space, which accepts an oracle as input (where there are two possible oracles), makes $m$ queries (where $m$ is some fixed number) to that oracle (the distribution of each query depends only on the sequence of earlier queries and oracle responses), and outputs either 0 or 1 (again, the distribution of the answer depends only on the sequence of queries and oracle responses).

The intended meaning is that the distinguisher's output is its guess as to which of the two possible oracles made the responses. (Thus given two oracles $A$ and $B$, $D(A)$ and $D(B)$ are random variables taking values in $\{0, 1\}$.) The natural measure for the effectiveness of the distinguisher in distinguishing between two oracles $A$ and $B$ is its advantage, defined by

$|\Pr[D(A) = 1] - \Pr[D(B) = 1]|$.

³ A probabilistic algorithm is an algorithm enhanced by access to a random number generator, that is, at each stage the algorithm chooses which moves to make next according to some well-defined distribution. Mathematically, a probabilistic algorithm is a random variable, whereas a usual algorithm is a function.

The motivation for this measure is as follows. Assume without loss of generality that $\Pr[D(A) = 1] \ge \Pr[D(B) = 1]$. Then by the likelihood test we should decide $x = A$ if the output of $D(x)$ is 1 and $x = B$ otherwise. The effectiveness of this decision procedure clearly increases as the difference between $\Pr[D(A) = 1]$ and $\Pr[D(B) = 1]$ increases, and this (or any other) procedure is useless when the probabilities are equal. Moreover, it can be proved that the number of times needed to sample $D(x)$ in order to decide whether $x = A$ or $x = B$ with a significant level of certainty is $O(1/\epsilon^2)$, where $\epsilon = |\Pr[D(A) = 1] - \Pr[D(B) = 1]|$.

Theorem 1.10. Assume that $D$ is a distinguisher which makes $m < N$ queries to $\mathcal{C}$ or $\mathcal{P}$. Then

$|\Pr[D(\mathcal{C}) = 1] - \Pr[D(\mathcal{P}) = 1]| \le \frac{m}{N}$.

Proof. By Corollaries 1.6 and 1.9, it suffices to show that $|\Pr[D(\mathcal{O}_2) = 1] - \Pr[D(\mathcal{O}_3) = 1]| \le \frac{m}{N}$.

Oracles $\mathcal{O}_2$ and $\mathcal{O}_3$ behave identically as long as Bad $= 0$ in $\mathcal{O}_3$, that is, as long as the component of $x_k$ was not chosen. As long as this is the case, the number of components in the graph reduces by at most 1 with each new query answer (we do not assume that the queries are nonrepeating), and therefore the probability that the component of $x_k$ was not chosen for all $k = 0, \dots, m-1$ is at least

$\frac{N-1}{N} \cdot \frac{N-2}{N-1} \cdots \frac{N-m}{N-m+1} = \frac{N-m}{N} = 1 - \frac{m}{N}$.

Let $p = \Pr[D(\mathcal{O}_2) = 1]$. Then $p = \Pr[D(\mathcal{O}_3) = 1 \mid \mathrm{Bad} = 0]$, therefore

$\Pr[D(\mathcal{O}_3) = 1] = \Pr[D(\mathcal{O}_3) = 1 \mid \mathrm{Bad} = 0] \cdot \Pr[\mathrm{Bad} = 0] + \Pr[D(\mathcal{O}_3) = 1 \mid \mathrm{Bad} = 1] \cdot \Pr[\mathrm{Bad} = 1]$
$= p \cdot \Pr[\mathrm{Bad} = 0] + \Pr[D(\mathcal{O}_3) = 1 \mid \mathrm{Bad} = 1] \cdot \Pr[\mathrm{Bad} = 1]$.

Thus,

$|\Pr[D(\mathcal{O}_2) = 1] - \Pr[D(\mathcal{O}_3) = 1]|$
$= |p(1 - \Pr[\mathrm{Bad} = 0]) - \Pr[D(\mathcal{O}_3) = 1 \mid \mathrm{Bad} = 1] \cdot \Pr[\mathrm{Bad} = 1]|$
$= |p \cdot \Pr[\mathrm{Bad} = 1] - \Pr[D(\mathcal{O}_3) = 1 \mid \mathrm{Bad} = 1] \cdot \Pr[\mathrm{Bad} = 1]|$
$= |p - \Pr[D(\mathcal{O}_3) = 1 \mid \mathrm{Bad} = 1]| \cdot \Pr[\mathrm{Bad} = 1] \le \Pr[\mathrm{Bad} = 1] \le \frac{m}{N}$.

□

Corollary 1.11. For all $\epsilon > 0$, the number of evaluations required to distinguish a random cyclus in $S_N$ from a random permutation in $S_N$ with advantage greater than or equal to $\epsilon$ is at least $\lceil \epsilon N \rceil$.

Our bound on the distinguisher's advantage cannot be improved. The following theorem shows not only that there exists an optimal strategy (with advantage $m/N$) for the distinguisher, but that in some sense all strategies are optimal, including for example those which do not use queries of the form $(x, -1)$. By "all" we mean those which do not make queries where the responses are known in advance, that is, strategies for which the sequence of queries is nonrepeating. (As we remarked before, any strategy which makes repeating queries can be improved.)

Theorem 1.12 (Optimal strategies). Consider the following $m$-step strategy ($m < N$) for a distinguisher $D$ to distinguish between $\mathcal{P}$ and $\mathcal{C}$:

Queries: For each $k = 0, \dots, m-1$, choose any pair $(x_k, i_k) \in V \times \{1, -1\}$ such that the sequence $((x_0, i_0), y_0, \dots, (x_k, i_k))$ is nonrepeating, and make the query $(x_k, i_k)$.

Output: If one of the oracle responses introduced a cycle, the distinguisher outputs 1. Otherwise the distinguisher outputs 0.

Then the advantage of this distinguisher is $m/N$. In other words, any strategy which generates only nonrepeating sequences is optimal.

Proof. As the query sequence is nonrepeating, the probability that a cycle is not introduced given that the oracle is $\mathcal{O}_3$ is exactly

$\frac{N-1}{N} \cdot \frac{N-2}{N-1} \cdots \frac{N-m}{N-m+1} = \frac{N-m}{N} = 1 - \frac{m}{N}$.

Thus $\Pr[D(\mathcal{P}) = 0] = \Pr[D(\mathcal{O}_3) = 0] = 1 - m/N$, and

$\Pr[D(\mathcal{C}) = 0] - \Pr[D(\mathcal{P}) = 0] = 1 - \left(1 - \frac{m}{N}\right) = \frac{m}{N}$.

□
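Theorem 1.12 and Lemma 1.2 checked by exhaustive enumeration, as an added example that is not part of the paper: for small $N$ the strategy with the nonrepeating queries $(0,1), (1,1), \dots, (m-1,1)$ is run against every cyclus and every permutation in $S_N$, and the exact advantage comes out as $m/N$ (a cyclus never closes a cycle in fewer than $N$ edges, so the whole advantage is the probability that a random permutation does). The function names and the choice of query sequence are assumptions of this example.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial


def cycles_of(perm):
    """Cycle decomposition of a permutation given as a tuple with perm[x] = P(x)."""
    seen, cycles = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = perm[x]
        cycles.append(tuple(cyc))
    return cycles


def is_cyclus(perm):
    return len(cycles_of(perm)) == 1


def partial_graph_has_cycle(edges):
    """edges: dict x -> P(x) for the x's queried so far (a partial permutation graph).
    True iff following edges from some queried x returns to x (Lemma 1.3, case 1).
    Terminates because the edges come from a permutation, hence are injective."""
    for start in edges:
        x = edges[start]
        while x in edges and x != start:
            x = edges[x]
        if x == start:
            return True
    return False


def strategy_output(perm, m):
    """The Theorem 1.12 strategy with the nonrepeating queries (0,1), (1,1), ..., (m-1,1):
    output 1 iff one of the answers closed a cycle, 0 otherwise."""
    edges = {}
    for x in range(m):
        edges[x] = perm[x]                # the oracle's answer P(x)
        if partial_graph_has_cycle(edges):
            return 1
    return 0


def exact_advantage(N, m):
    """|Pr[D(C) = 1] - Pr[D(P) = 1]| computed exactly over all of S_N (small N only)."""
    all_perms = list(permutations(range(N)))
    cycluses = [p for p in all_perms if is_cyclus(p)]
    pr_c = Fraction(sum(strategy_output(p, m) for p in cycluses), len(cycluses))
    pr_p = Fraction(sum(strategy_output(p, m) for p in all_perms), len(all_perms))
    return abs(pr_c - pr_p)


def count_cyclus_extensions(N, edges):
    """Lemma 1.2 check: number of cycluses in S_N agreeing with the partial graph `edges`.
    With m components in the partial graph this should equal (m - 1)!."""
    return sum(1 for p in permutations(range(N))
               if is_cyclus(p) and all(p[x] == y for x, y in edges.items()))
```

For $N = 6$ and $m = 3$ the advantage is exactly $1/2 = m/N$; the partial graph $\{0 \to 1, 1 \to 2\}$ on six vertices has four components and is extended by $(4-1)! = 6$ cycluses, as Lemma 1.2 predicts.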
2. Cryptanalysis of the Naor-Reingold fast forward cyclus

In this section we show that in the fast forward model (where the distinguisher is allowed to make queries of the form $P^m(x)$), random cycluses can be distinguished from random permutations with advantage $1 - o(1)$, using a single query to the given oracle.

For each $N$ let $d(N)$ denote the number of divisors of $N$.

Theorem 2.1. A fast forward random cyclus can be distinguished from a fast forward random permutation with advantage $1 - d(N)/N$, using a single query.

Proof. We will use the following important fact.

Lemma 2.2 (folklore). Fix an $x \in \{0, \dots, N-1\}$. Then the length of the cycle of $x$ in a random permutation in $S_N$ is distributed uniformly in $\{1, \dots, N\}$.

Proof. For each $k = 1, \dots, N$ the probability that the cycle's length is $k$ is

$\frac{N-1}{N} \cdot \frac{N-2}{N-1} \cdots \frac{N-(k-1)}{N-(k-2)} \cdot \frac{1}{N-(k-1)} = \frac{1}{N}$.

□

Assume that $P$ is a random permutation in $S_N$. By Lemma 2.2, the length $a_0$ of the cycle of $0$ is distributed uniformly in $\{1, \dots, N\}$. As there are $d(N)$ divisors of $N$, the probability that $a_0$ divides $N$ is $d(N)/N$. Now, $P^N(0) = 0$ if, and only if, $a_0$ divides $N$. Thus, the probability that $P^N(0) = 0$ is $d(N)/N$ if $P$ is random, but 1 if $P$ is a cyclus. Therefore, the single query $(0, N)$ is enough to distinguish a random cyclus from a random permutation with advantage $1 - d(N)/N$. □

Example 2.3. If $N = 2^n$ (this is the standard case), then $d(N)/N = (n+1)/2^n$, which is negligible.

$d(N)/N$ converges to 0 quite rapidly as $N \to \infty$. However, for our purposes, the following easy observation is enough.

Proposition 2.4. $d(N)/N = o(1)$.

Proof. Observe that for each $N$, if the factorization of $N$ is $p_1^{e_1} \cdots p_k^{e_k}$, then $d(N) = (e_1 + 1) \cdots (e_k + 1)$, thus

$\frac{d(N)}{N} = \frac{e_1 + 1}{p_1^{e_1}} \cdots \frac{e_k + 1}{p_k^{e_k}}$.

For every prime $p \ge 2$, the function $f(x) = (x+1)/p^x$ is decreasing for $x \ge 1$, so for all $k \ge 1$, $(k+1)/p^k \le 2/p < 1$.

Fix any $\epsilon > 0$. If $N$ has a prime factor $p > 2/\epsilon$, then $d(N)/N \le 2/p < \epsilon$. Otherwise, all prime factors of $N$ are smaller than $c = 2/\epsilon$. Assume that $N = p_1^{e_1} \cdots p_k^{e_k}$. Then $k < c$. Let $e_i = \max\{e_1, \dots, e_k\}$. As $N \le c^{e_1 + \cdots + e_k}$, we have $c\,e_i \ge e_1 + \cdots + e_k \ge \log_c N$, therefore $e_i \ge h(N) = \log_c N / c$, thus $d(N)/N \le (e_i + 1)/p_i^{e_i} \le (h(N) + 1)/p_i^{h(N)}$, which is smaller than $\epsilon$ for large enough $N$. □

Remark 2.5. One may suggest the following ad-hoc solution to the problem raised by Theorem 2.1: Simply bound the possible value of $m$ in queries of the form $P^m(x)$ to be $\le N/k$ for some fixed $k$. But then $P^N(x)$ can still be computed (using $k$ queries instead of 1), so this solution is not good if we do not want to restrict the value of $m$ too much.

Remark 2.6. Theorem 2.1 can be extended as follows: Fix a cycle structure. Let $a_0$ be the size of the largest cycle in this structure, and assume that $P \in S_N$ is a random permutation with the given cycle structure. The probability that an element $x$ appears in a cycle of size $a_0$ is (at least) $a_0/N$. If $k$ is $\Omega(N/a_0)$, then with large probability one of the elements $0, \dots, k-1$ appears in such a cycle and therefore $P^{a_0}(i) = i$ for some $i \in \{0, \dots, k-1\}$. But if $P$ is random, then it is conceivable that with a non-negligible probability (it is not straightforward to quantify the term "non-negligible" here), for all $i \in \{0, \dots, k-1\}$ the cycle lengths do not divide $a_0$ and therefore $P^{a_0}(i) \ne i$.

Of course, if $a_0 < N/a_0$, then one may simply verify in $a_0$ calls that the cycle of $0$ has size $\le a_0$. Thus our method works in complexity $O(\min\{a_0, N/a_0\})$.

Remark 2.7. Uzi Vishne has pointed out to me that one can distinguish a random permutation which is not a cyclus from a random cyclus with advantage 1 at the price of increasing the number of queries to $\nu(N) + 1$ (where $\nu(N)$ is the number of prime divisors of $N$): One simply verifies that for each prime factor $p$ of $N$, $P^{N/p}(0) \ne 0$, whereas $P^N(0) = 0$. This happens if, and only if, $P$ is a cyclus. (Similar observations apply to Remarks 2.5 and 2.6.)

Observe that with probability $1/N$ a random permutation is a cyclus, and therefore one cannot hope to obtain advantage greater than $1 - 1/N$; so this improves the advantage from $1 - d(N)/N$ to $1 - 1/N$ at the price of $\nu(N)$ additional queries. Clearly $\nu(N) \le \log_2 N$. In fact, by the Hardy-Ramanujan Theorem, $\nu(N)$ is asymptotically close to $\log\log N$ "for almost all $N$" (we will not give the precise formulation here). Observe that when $N$ is a power of 2 we get $\nu(N) = 1$, so two queries are enough to distinguish with advantage $1 - 1/N$.
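The attack of Theorem 2.1 and Vishne's refinement of Remark 2.7 in code, as an added example that is not part of the paper. A simulated fast forward oracle answers $P^m(x)$ by walking the cycle of $x$ once (a real fast forward oracle answers in time polynomial in $\log N$; the simulation is an assumption for small $N$), and the exact fraction of permutations in $S_N$ that each test wrongly declares a cyclus is computed by enumeration: $d(N)/N$ for the single query $(0, N)$, and only the $1/N$ of permutations that really are cycluses for the $\nu(N)+1$ queries. Function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import permutations


def cycle_of(perm, x):
    """The cycle of x in perm (perm[x] = P(x)), listed starting at x."""
    cyc, y = [x], perm[x]
    while y != x:
        cyc.append(y)
        y = perm[y]
    return cyc


def fast_forward(perm, x, m):
    """P^m(x) for any integer m (negative m gives P^{-|m|}(x)).  Simulates a fast forward
    oracle from a full permutation table; cost is the cycle length, not |m|."""
    cyc = cycle_of(perm, x)
    return cyc[m % len(cyc)]


def divisors(N):
    return [d for d in range(1, N + 1) if N % d == 0]


def prime_factors(N):
    """Distinct prime divisors of N, so len(prime_factors(N)) = nu(N)."""
    ps, p = [], 2
    while p * p <= N:
        if N % p == 0:
            ps.append(p)
            while N % p == 0:
                N //= p
        p += 1
    if N > 1:
        ps.append(N)
    return ps


def single_query_test(ff, N):
    """Theorem 2.1: one query (0, N); declare 'cyclus' iff P^N(0) = 0.
    Accepts a random permutation with probability d(N)/N (Lemma 2.2)."""
    return ff(0, N) == 0


def vishne_test(ff, N):
    """Remark 2.7: nu(N) + 1 queries; declare 'cyclus' iff P^N(0) = 0 and
    P^{N/p}(0) != 0 for every prime p | N, i.e. iff the cycle of 0 has length exactly N."""
    return ff(0, N) == 0 and all(ff(0, N // p) != 0 for p in prime_factors(N))


def false_positive_rate(N, test):
    """Exact fraction of permutations in S_N that `test` declares a cyclus.
    A cyclus always passes both tests, so the advantage is 1 minus this value."""
    hits = total = 0
    for perm in permutations(range(N)):
        total += 1
        if test(lambda x, m, p=perm: fast_forward(p, x, m), N):
            hits += 1
    return Fraction(hits, total)
```

For $N = 6$ the single query accepts $4/6 = d(6)/6$ of all permutations, while Vishne's test accepts exactly $1/6$ of them, the cycluses themselves; the advantages are $1 - d(N)/N$ and $1 - 1/N$ respectively, as stated above.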
Part 2. Fast forward random permutations

This part introduces an efficient method to sample the cycle structure 
of a random permutation, and its application to the construction of fast 
forward random permutations. 

3. Ordered cycle structures

Definition 3.1. Assume that $\Omega$ is a finite, well-ordered set, and $P \in S_\Omega$. Let $C_0, \dots, C_{k-1}$ be all (distinct) cycles of $P$, ordered such that $\min C_i < \min C_j$ for each $i < j$. Then the ordered cycle structure of $P$, $\mathrm{OCS}(P)$, is the sequence $(|C_0|, \dots, |C_{k-1}|)$.

Example 3.2. If

$P = \begin{pmatrix} 0 & 1 & 2 & 3 & 4 & 5 \\ 5 & 4 & 1 & 3 & 2 & 0 \end{pmatrix}$,

then the cycles of $P$ are $(0\,5)$, $(1\,4\,2)$, $(3)$ in this order, as the minimum elements of the cycles are 0, 1, 3, respectively. Thus, $\mathrm{OCS}(P) = (2, 3, 1)$.

Sampling the ordered cycle structure of a random permutation $P \in S_\Omega$ (by choosing a random $P$, finding the size of the cycle of 0, then the size of the cycle of the first element not in this cycle, etc.) requires $O(|\Omega|)$ steps, which is infeasible when $\Omega$ is a large space. The following theorem allows us to sample this distribution efficiently.

Theorem 3.3. Let $\Omega$ be a finite set of size $N$. Consider the following two random processes:

Process I: Choose a random permutation $P \in S_\Omega$, and give $\mathrm{OCS}(P)$ as output.

Process II: (1) Set $s_{-1} = 0$.

(2) For $i = 0, 1, \dots$ do the following:

(a) Choose a random number $s_i \in \{1 + s_{i-1}, \dots, N\}$.

(b) If $s_i = N$, then exit the loop.

(3) Output the sequence $(s_0, s_1 - s_0, s_2 - s_1, \dots, s_i - s_{i-1})$.

Then these processes define the same distribution on the space of all possible ordered cycle structures of permutations $P \in S_\Omega$.

Proof. We prove the theorem by induction on the size of $\Omega$. The theorem is evident when $|\Omega| = 1$.

For $|\Omega| > 1$, assume that $P$ is a random element of $S_\Omega$, and let $\mathrm{OCS}(P) = (a_0, \dots)$. By Lemma 2.2, $a_0$ is distributed uniformly in $\{1, \dots, N\}$. Using the notation of Definition 3.1, let $C_0$ be the cycle of $0$. As $P$ is distributed uniformly over $S_\Omega$, an easy counting argument shows that the restriction of $P$ to the remaining elements, $P \upharpoonright (\Omega \setminus C_0)$, is distributed uniformly over $S_{\Omega \setminus C_0}$. By the induction hypothesis, the output $(b_0, b_1, \dots)$ of Process II for $n = |\Omega \setminus C_0|$ is distributed exactly as the output of Process I on $P \upharpoonright (\Omega \setminus C_0)$. Thus, the sequence $(a_0, b_0, \dots)$ given by Process II is distributed the same as the sequence given by Process I. □

Definition 3.4. For ease of reference, we will call Process II of Theo- 
rem 3.3 the Choose Cycle Lengths (CCL) process. 
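Theorem 3.3 made concrete, as an added example that is not part of the paper: `ccl` is Process II and samples a cycle structure with no permutation in hand (it works unchanged for $N = 2^{64}$), while for small $N$ the exact output distributions of Process I (enumerating $S_N$ and computing $\mathrm{OCS}$) and of Process II (walking every branch of the process with its probability) are computed and can be compared for equality. Function names are assumptions of this example.

```python
import random
from fractions import Fraction
from itertools import permutations


def ocs(perm):
    """Ordered cycle structure (Definition 3.1): cycle lengths in order of the cycles'
    minimal elements, for perm given as a tuple with perm[x] = P(x)."""
    seen, out = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        x, n = start, 0
        while x not in seen:
            seen.add(x)
            x = perm[x]
            n += 1
        out.append(n)
    return tuple(out)


def process_i_distribution(N):
    """Process I exactly: distribution of OCS(P) for uniform P in S_N, by enumeration."""
    counts = {}
    for perm in permutations(range(N)):
        key = ocs(perm)
        counts[key] = counts.get(key, 0) + 1
    total = sum(counts.values())
    return {k: Fraction(v, total) for k, v in counts.items()}


def ccl(N, rng=random):
    """Process II, the CCL process: sample a cycle structure of a random permutation
    in S_N using only O(number of cycles) random choices, without choosing P."""
    lengths, s_prev = [], 0
    while True:
        s = rng.randrange(s_prev + 1, N + 1)      # uniform in {s_prev + 1, ..., N}
        lengths.append(s - s_prev)
        if s == N:
            return tuple(lengths)
        s_prev = s


def process_ii_distribution(N):
    """Process II exactly: every branch of the CCL process with its probability."""
    dist = {}

    def walk(s_prev, prefix, prob):
        for s in range(s_prev + 1, N + 1):
            p = prob * Fraction(1, N - s_prev)    # each value of s_i is equally likely
            seq = prefix + (s - s_prev,)
            if s == N:
                dist[seq] = dist.get(seq, 0) + p
            else:
                walk(s, seq, p)

    walk(0, (), Fraction(1))
    return dist
```

For $N = 5$ the two dictionaries are identical, with one entry per composition of 5; `ccl(2**64)` returns a plausible cycle structure of a random permutation on $2^{64}$ points in a handful of steps.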

Observe that the running time of the CCL process in the worst case is $N$, which is too large (usually, a quantity which is polynomial in $\log N$ is considered small, and $\Omega(N^\epsilon)$ where $\epsilon > 0$ is considered infeasible). We can however define an algorithm which is probabilistically close to the CCL process but runs in time $O(\log N)$.

Let $R_N$ denote the random variable counting the number of cycles in a random permutation in $S_N$. It is well known [3] that the expectation and variance of $R_N$ (and therefore of the running time of the CCL process) are both $\log N + O(1)$. By Chebyshev's Inequality,

$\Pr[R_N > (c+1)\log N] = \Pr[R_N - \log N > c \log N] = \Pr\left[R_N - \log N > \left(c\sqrt{\log N}\right)\sqrt{\log N}\right] \le \frac{1}{\left(c\sqrt{\log N}\right)^2} = \frac{1}{c^2 \log N}$

for all constant $c > 0$, which is $\Theta(1/\log N)$. We say that a function $f(N)$ is negligible if it is $O(1/N^\epsilon)$ for some positive $\epsilon$. The bound given by Chebyshev's Inequality is not negligible. Fortunately we can improve it significantly in our case. To this end, we need to have a tight upper bound on the distributions of the random variables $s_l$ defined by the CCL process.

Proposition 3.5. Fix $l \in \{0, \dots, N-1\}$. Then

$$\Pr[s_l = k] \le \frac{\left(-\log\left(1 - \frac{k}{N}\right)\right)^l}{l!\,N}$$

if $k \in \{l+1, \dots, N\}$, and $\Pr[s_l = k] = 0$ otherwise.

Proof. Recall that for an increasing function $f : [0, k] \to \mathbb{R}$, $\sum_{i=0}^{k-1} f(i) \le \int_0^k f(x)\,dx$.

We prove the proposition by induction on $l$. For $l = 0$ we have that $\Pr[s_0 = k] = 1/N$ as required. Assume that our assertion is true for $l$, and prove it for $l+1$ as follows. Given $s_l = i$, the value $s_{l+1}$ is uniform in $\{i+1, \dots, N\}$, so

$$\Pr[s_{l+1} = k] = \sum_{i=l+1}^{k-1} \Pr[s_l = i] \cdot \Pr[s_{l+1} = k \mid s_l = i] = \sum_{i=l+1}^{k-1} \Pr[s_l = i] \cdot \frac{1}{N-i} \le \sum_{i=l+1}^{k-1} \frac{\left(-\log\left(1 - \frac{i}{N}\right)\right)^l}{l!\,N} \cdot \frac{1}{N-i} \le \int_0^k \frac{\left(-\log\left(1 - \frac{x}{N}\right)\right)^l}{l!\,N\,(N-x)}\,dx.$$

Substituting $t = -\log(1 - x/N)$, so that $dt = dx/(N-x)$, the last integral is equal to

$$\frac{1}{l!\,N} \int_0^{-\log(1 - k/N)} t^l\,dt = \frac{\left(-\log\left(1 - \frac{k}{N}\right)\right)^{l+1}}{(l+1)!\,N}.$$

□
Theorem 3.6. Fix $l \in \{0, \dots, N-1\}$. Then for all $m$,

$$\Pr[s_l < m] \le \frac{m\,\left|\log\left(1 - \frac{m}{N}\right)\right|^l}{N\,l!}.$$

Proof. By Proposition 3.5, and since $|\log(1 - k/N)|$ is increasing in $k$,

$$\Pr[s_l < m] = \sum_{k=l+1}^{m-1} \Pr[s_l = k] \le \sum_{k=l+1}^{m-1} \frac{\left|\log\left(1 - \frac{k}{N}\right)\right|^l}{l!\,N} \le \frac{m\,\left|\log\left(1 - \frac{m}{N}\right)\right|^l}{l!\,N}.$$

□



Corollary 3.7. Assume that $c > e$. The probability that the running time of the CCL process is larger than $c \log N$ is $O\left(\sqrt{\log N}/N^{c(\log c - 1)}\right)$ and is therefore negligible. In particular, if $c > e^2$ then this probability is $o(1/N^c)$.

Proof. Use Theorem 3.6 with $m = N-1$ and $l = c \log N$. Then $1 - m/N = 1/N$ and $m/N < 1$. Using Stirling's Formula, $l! \ge \sqrt{2\pi l}\,(l/e)^l$, so

(1) $\quad \Pr[s_l < m] \le \frac{\left|\log\frac{1}{N}\right|^l}{l!} = \frac{\log^l N}{l!} \le \frac{\log^l N}{\sqrt{2\pi l}\,(l/e)^l}.$

Now, as $l = c \log N$,

$$\left(\frac{l}{e}\right)^l = \frac{c^l \log^l N}{e^{c \log N}} = \frac{c^l \log^l N}{N^c}, \qquad c^l = c^{c \log N} = N^{c \log c},$$

therefore the right hand side of Equation 1 is equal to

$$\frac{N^c}{\sqrt{2\pi c \log N}\; N^{c \log c}} = \frac{1}{\sqrt{2\pi c \log N}\; N^{c(\log c - 1)}},$$

which is in particular $O\left(\sqrt{\log N}/N^{c(\log c - 1)}\right)$. This implies the assertions in the corollary. □
We can therefore define the following variant of the CCL process:

Definition 3.8 ($l$-truncated CCL). Fix a positive integer $l$ and run the CCL process for $l-1$ steps. If the process terminated after $k < l$ steps, then output the sequence $(s_0, \dots, s_{k-1})$. Otherwise set $s_{l-1} = N$ and output $(s_0, \dots, s_{l-1})$.

Corollary 3.9. Fix $l \ge 3.6 \log N$. Then the output of the $l$-truncated CCL cannot be distinguished from the output of the CCL process with advantage greater than $o(1/N)$.

Proof. The two outputs differ only when the CCL process runs for more than $l-1$ steps, so this follows from Corollary 3.7, once we observe (numerically) that the solution to the equation $c(\log c - 1) = 1$ is $c = 3.5911\ldots$. □



4. Fast forward permutations

Definition 4.1. Assume that $(a_0, a_1, \dots, a_{l-1})$ is a sequence of positive integers such that $\sum_{k=0}^{l-1} a_k = N$, and write $s_{-1} = 0$, $s_i = \sum_{k=0}^{i} a_k$ for each $i = 0, \dots, l-1$. The fast forward permutation coded by $(a_0, a_1, \dots, a_{l-1})$ is the permutation $\pi \in S_N$ such that for each $x \in \{0, \dots, N-1\}$,

$\pi(x) = s_i + \left((x - s_i + 1) \bmod a_{i+1}\right)$ where $s_i \le x < s_{i+1}$.

Example 4.2. The fast forward permutation $\pi \in S_7$ coded by $(1, 2, 4)$ is

$\pi = (0)(1\,2)(3\,4\,5\,6) = (1\,2)(3\,4\,5\,6)$.

Here $s_0 = 1$, $s_1 = 3$, and $s_2 = 7$. Thus, e.g., as $s_1 \le 4 < s_2$, we have that

$\pi^5(4) = s_1 + \left((4 - s_1 + 5) \bmod a_2\right) = 3 + (6 \bmod 4) = 5$,

as can be verified directly.

A fast forward permutation coded by a sequence $(a_0, \dots, a_{l-1})$ is indeed fast forward, if we can either preprocess the corresponding sequence $(s_0, \dots, s_{l-1})$ (this is done in time $O(l)$) or have access to an oracle which can tell $s_i$ for each $i$ in time $O(1)$.
Proposition 4.3. Assume that $\pi$ is the fast forward permutation coded by $(a_0, \dots, a_{l-1})$. Assume further that we have $O(1)$ time access to the corresponding values $s_i$, $i \in \{0, \dots, l-1\}$. Then for all $x \in \{0, \dots, N-1\}$ and all $m$, the complexity of the computation of $\pi^m(x)$ is $O(\log l)$ (and in particular $O(\log N)$).

Proof. As the values $s_i$ are increasing with $i$, we can use binary search to find the $i$ such that $s_i \le x < s_{i+1}$ (this requires $O(\log l)$ accesses to the values $s_i$). Then

$\pi^m(x) = s_i + \left((x - s_i + m) \bmod (s_{i+1} - s_i)\right)$.

□

The proof of Proposition 4.3 is written such that we can see that the sequence $(a_0, \dots, a_{l-1})$ plays no role in the evaluation of $\pi^m(x)$. This means that all needed information is given in the sequence $(s_0, \dots, s_{l-1})$. We chose the sequence $(a_0, \dots, a_{l-1})$ rather than $(s_0, \dots, s_{l-1})$ as a "code" for the permutation only because this way it seems clearer how the permutation $\pi$ is computed.

Consider the following oracles.

$\mathcal{P}_{FF}$: Chooses a random permutation $P \in S_N$, accepts queries of the form $(x, m) \in \{0, \ldots, N-1\} \times \mathbb{Z}$, and responds with $y = P^m(x)$ for each such query.

$\mathcal{F}$: Runs the $l$-truncated CCL process with $l = 4 \log N$ to obtain a sequence $(a_0, \ldots, a_{l-1})$. (Let $\pi$ denote the fast forward permutation coded by $(a_0, \ldots, a_{l-1})$.) This oracle accepts queries of the form $(x, m) \in \{0, \ldots, N-1\} \times \mathbb{Z}$, and uses the oracle $\mathcal{P}$ (which fixes a random permutation $P$) to respond with $y = P(\pi^m(P^{-1}(x)))$ for each such query.

Theorem 4.4. (1) The space used by the oracle $\mathcal{F}$ is $O(\log N)$ words of size $O(\log N)$ each.

(2) The preprocessing of $\mathcal{F}$ requires $O(\log N)$ steps.

(3) For each query $(x, m)$, the running time of $\mathcal{F}$ is $O(\log \log N)$ plus twice the running time of $\mathcal{P}$.

(4) Assume that $D$ is a distinguisher which makes any number of calls to the oracles $\mathcal{P}_{FF}$ or $\mathcal{F}$. Then the advantage of $D$ is $o(1/N)$.

Proof. (1) and (2) are evident, as the sequence $(s_0, \ldots, s_{l-1})$ has $l = 4 \log N$ entries. (3) follows from Proposition 4.3 with $l = 4 \log N$ (one evaluation of $P^{-1}$, one binary search, one evaluation of $P$). (4) follows from Corollary 3.9, since the CCL process samples the cycle structure of a random permutation and conjugating $\pi$ by the random permutation $P$ yields a random permutation with that cycle structure. $\square$

This completes our solution to the Naor-Reingold Problem in the 
(purely) random case. 
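The construction of Section 4, as an added Python example (this is not the paper's code). `FastForwardPermutation` is the permutation coded by $(a_0, \ldots, a_{l-1})$ from Definition 4.1, with $\pi^m(x)$ evaluated by the binary search of Proposition 4.3 and checked against plain iteration, and `ConjugatedOracle` answers a query $(x, m)$ with $P(\pi^m(P^{-1}(x)))$ the way $\mathcal{F}$ does. Two things are assumptions of this example rather than the paper's: the CCL process is not reproduced, so `sample_cycle_lengths` is the textbook exact sampler of a random permutation's cycle lengths (the cycle through the smallest unused point has length uniform on the remaining points), used without the $l$-truncation; and the random permutation $P$ is a shuffled table standing in for the oracle $\mathcal{P}$.

```python
import bisect
import random
from itertools import accumulate


class FastForwardPermutation:
    """The permutation pi in S_N coded by positive integers (a_0, ..., a_{l-1}) with
    a_0 + ... + a_{l-1} = N (Definition 4.1): with s_i = a_0 + ... + a_i and s_{-1} = 0,
    the points s_{i-1}, ..., s_i - 1 form one cycle of length a_i."""

    def __init__(self, code):
        code = list(code)
        if not code or any(a <= 0 for a in code):
            raise ValueError("the code must be a non-empty sequence of positive integers")
        self.a = code
        self.n = sum(code)
        # Prefix sums s_0 < s_1 < ... < s_{l-1} = N, computed once in O(l).
        self.s = list(accumulate(code))

    def block(self, x):
        """(s_{i-1}, a_i) for the i with s_{i-1} <= x < s_i, by binary search: O(log l)."""
        if not 0 <= x < self.n:
            raise ValueError("point out of range")
        i = bisect.bisect_right(self.s, x)          # first index i with s_i > x
        start = self.s[i - 1] if i > 0 else 0       # s_{-1} = 0 by convention
        return start, self.a[i]

    def power(self, x, m):
        """pi^m(x) for any integer m (negative m walks the cycle backwards), O(log l)."""
        start, length = self.block(x)
        return start + (x - start + m) % length

    def __call__(self, x):
        return self.power(x, 1)

    def cycles(self):
        """Cycle decomposition, e.g. [[0], [1, 2], [3, 4, 5, 6]] for the code (1, 2, 4)."""
        out, start = [], 0
        for length in self.a:
            out.append(list(range(start, start + length)))
            start += length
        return out


def power_by_iteration(perm, x, m):
    """Reference evaluation: apply perm |m| times (through its inverse if m < 0)."""
    if m < 0:
        inverse = {perm(y): y for y in range(perm.n)}
        for _ in range(-m):
            x = inverse[x]
        return x
    for _ in range(m):
        x = perm(x)
    return x


def sample_cycle_lengths(n, rng):
    """Assumption (standard fact, not the paper's CCL process): the cycle of a uniform
    random permutation through the smallest unused point has length uniform on
    {1, ..., remaining}, so this loop samples the cycle structure exactly."""
    lengths, remaining = [], n
    while remaining > 0:
        a = rng.randint(1, remaining)
        lengths.append(a)
        remaining -= a
    return lengths


class ConjugatedOracle:
    """The oracle F of Section 4: a fast forward permutation pi with random cycle
    structure, conjugated by a random permutation P (a shuffled table here, standing
    in for the block-cipher oracle), so a query (x, m) is answered by P(pi^m(P^{-1}(x)))."""

    def __init__(self, n, seed=0):
        rng = random.Random(seed)                   # seeded so runs are reproducible
        self.n = n
        self.pi = FastForwardPermutation(sample_cycle_lengths(n, rng))
        self.p = list(range(n))
        rng.shuffle(self.p)
        self.p_inv = [0] * n
        for i, y in enumerate(self.p):
            self.p_inv[y] = i

    def query(self, x, m):
        return self.p[self.pi.power(self.p_inv[x], m)]


if __name__ == "__main__":
    pi = FastForwardPermutation((1, 2, 4))          # Example 4.2
    print(pi.cycles(), pi.power(4, 5))
    oracle = ConjugatedOracle(1000, seed=7)
    print(oracle.query(0, 10 ** 12), sorted(oracle.pi.a, reverse=True))
```

The cost per query is independent of $m$ because the reduction modulo the cycle length happens in the arithmetic, not in a loop; only the table-based $P$ and $P^{-1}$ of this toy stand-in would be replaced by a block cipher call in the setting of Part 3.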
Part 3. Pseudorandomness

Intuitively speaking, pseudorandom objects are ones which are easy to sample but difficult to distinguish from (truly) random objects. The assumption that we made on the oracle $\mathcal{P}$, namely, that it chooses a random permutation in $S_N$, is not realistic when $N$ is large. A more realistic assumption is that the oracle chooses a pseudorandom element of $S_N$. More concretely, the oracle $\mathcal{P}$ accepts a key $k$ as input, and uses it to define a permutation $P_k$ in the sense that each time the oracle is asked to compute $P_k(x)$ (or $P_k^{-1}(x)$), the oracle computes it without the need to explicitly build the complete permutation $P_k$. ($\mathcal{P}$ can be thought of as a key dependent block cipher.) The reader is referred to [1] for the formal definitions. Naor and Reingold [1] actually stated their problem in the pseudorandom case. We will translate our main results into the pseudorandom case.

5. Translation of results from Part 1 

Let $\mathcal{C}'$ be a pseudorandom cyclus oracle. This means that for any distinguisher $D$ which makes a small number $m$ of queries, the advantage $\alpha = |\Pr[D(\mathcal{C}) = 1] - \Pr[D(\mathcal{C}') = 1]|$ is small, where $\mathcal{C}$ is the random cyclus oracle.

Theorem 5.1. For any distinguisher $D$ which makes $m < N$ queries to $\mathcal{C}'$ or $\mathcal{P}$,

$|\Pr[D(\mathcal{C}') = 1] - \Pr[D(\mathcal{P}) = 1]| \le \alpha + \frac{m}{N}$,

where $\alpha = |\Pr[D(\mathcal{C}) = 1] - \Pr[D(\mathcal{C}') = 1]|$.

Proof. By the Triangle Inequality and Theorem 1.10,

$|\Pr[D(\mathcal{C}') = 1] - \Pr[D(\mathcal{P}) = 1]| \le |\Pr[D(\mathcal{C}') = 1] - \Pr[D(\mathcal{C}) = 1]| + |\Pr[D(\mathcal{C}) = 1] - \Pr[D(\mathcal{P}) = 1]| \le \alpha + \frac{m}{N}$.

$\square$

Theorem 5.2. Consider the $m$-step strategy ($m < N$) for a distinguisher $D$ which was defined in Theorem 1.12 (an arbitrary strategy which generates nonrepeating sequences). Then

$|\Pr[D(\mathcal{C}') = 1] - \Pr[D(\mathcal{P}) = 1]| = \frac{m}{N}$.

Consequently, for all $\epsilon > 0$ there exists a strategy $D$ to distinguish $\mathcal{C}'$ from $\mathcal{P}$ with advantage at least $\max\{\alpha - \epsilon, m/N\}$, where $\alpha$ is the supremum of all possible advantages of an $m$-step distinguisher to distinguish $\mathcal{C}'$ from $\mathcal{C}$.

BOAZ TSABAN

Proof. The proof of Theorem 1.12 only uses the fact that $\mathcal{P}$ chooses a random permutation and $\mathcal{C}$ chooses a cyclus. The fact that the cyclus chosen by $\mathcal{C}$ is random is not used. This implies the first claim in our theorem.

To prove the second part of the theorem, fix any $\epsilon > 0$. If $\alpha - \epsilon \le m/N$, we choose the strategy $D$ and we are done. Otherwise $m/N < \alpha - \epsilon$. As $\alpha - \epsilon < \alpha$, there exists an $m$-step strategy $D'$ to distinguish $\mathcal{C}'$ from $\mathcal{C}$ with advantage at least $\alpha - \epsilon$, so we can choose the strategy $D'$. $\square$

We now translate the main result in the fast forward model to the pseudorandom case.

Theorem 5.3. $\mathcal{C}'$ can be distinguished from $\mathcal{P}$ with advantage $1 - d(N)/N$, using a single query.

Proof. Again, the only property of $\mathcal{C}$ we used in the proof of Theorem 2.1 is its choosing a cyclus, which is also true for $\mathcal{C}'$. $\square$
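The single-query distinguisher behind Theorem 5.3, as an added Python example that is not the paper's code (Theorem 2.1, which the proof refers to, is not reproduced on this page). The query issued here, $(x, N)$, is my reconstruction of that strategy: a cyclus always returns $P^N(x) = x$, whereas for a uniform random permutation the cycle through $x$ has length uniform on $\{1, \ldots, N\}$, so $P^N(x) = x$ exactly when that length divides $N$, which has probability $d(N)/N$ when $d(N)$ is the number of divisors of $N$. Reading $d(N)$ as the divisor count is an assumption of this example that matches the stated advantage; the oracles are simulated by full permutation tables, so this only runs for small $N$.

```python
import random


def random_permutation(n, rng):
    """Table of a uniform random permutation of {0, ..., n-1}."""
    p = list(range(n))
    rng.shuffle(p)
    return p


def random_cyclus(n, rng):
    """Table of a uniform random cyclus: the successor permutation x -> x+1 mod n
    conjugated by a random permutation q, i.e. q[i] is sent to q[(i+1) % n]."""
    q = random_permutation(n, rng)
    p = [0] * n
    for i in range(n):
        p[q[i]] = q[(i + 1) % n]
    return p


def cycle_length(perm, x):
    """Length of the cycle of the permutation table perm through x."""
    y, length = perm[x], 1
    while y != x:
        y, length = perm[y], length + 1
    return length


def power(perm, x, m):
    """perm^m(x): walk m mod (cycle length) steps along the cycle through x."""
    steps = m % cycle_length(perm, x)
    for _ in range(steps):
        x = perm[x]
    return x


def looks_like_cyclus(perm, x=0):
    """The one-query distinguisher: ask for P^N(x) and answer 'cyclus' iff it equals x.
    (Assumed query; it is accepted by every cyclus and by a random permutation
    exactly when the cycle length through x divides N.)"""
    n = len(perm)
    return power(perm, x, n) == x


def num_divisors(n):
    """d(N), taken here to be the number of divisors of N (assumption)."""
    return sum(1 for d in range(1, n + 1) if n % d == 0)


def exact_advantage(n):
    """1 - d(N)/N = Pr[cyclus accepted] - Pr[random permutation accepted]."""
    return 1 - num_divisors(n) / n


def estimated_advantage(n, trials, seed=0):
    """Monte Carlo estimate of the same difference from freshly sampled tables."""
    rng = random.Random(seed)
    accepted_cyclus = sum(looks_like_cyclus(random_cyclus(n, rng)) for _ in range(trials))
    accepted_random = sum(looks_like_cyclus(random_permutation(n, rng)) for _ in range(trials))
    return (accepted_cyclus - accepted_random) / trials


if __name__ == "__main__":
    for n in (7, 12, 64):
        print(n, exact_advantage(n), estimated_advantage(n, 4000))
```

Note that this is the attack the fast-forward oracle $\mathcal{F}$ of Section 4 is built to survive: its answers come from a permutation whose cycle structure is distributed like a random permutation's, so $P^N(x) = x$ holds with the same probability $d(N)/N$ as for $\mathcal{P}_{FF}$.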

6. Translation of results from Part 2 

In order to shift to the pseudorandom case in our construction of a fast forward permutation, we need to have some pseudorandom number generator to generate the random choices of the $s_i$'s in the CCL process. If we have no such generator available, we can use the oracle $\mathcal{P}$ itself: In addition to the key $k$ used to generate $P_k$, we need another key $\tilde{k}$. The pseudorandom numbers $s_i$ in the CCL process can then be derived from the values $P_{\tilde{k}}(0), P_{\tilde{k}}(1), P_{\tilde{k}}(2), \ldots$ (This is the standard counter mode [2].) We now give an example how this can be done.

Consider the following oracles.

RND: Accepts positive integers $x, k < N$ and returns a sequence $(r_0, \ldots, r_{k-1})$ of random numbers in the range $\{0, \ldots, x-1\}$.

RND$_1$: Accepts positive integers $x, k < N$, calls RND with $N$ and $2k$ to get a sequence $(x_0, \ldots, x_{2k-1})$, and returns $(r_0, \ldots, r_{k-1})$ where $r_i = (x_{2i} + N \cdot x_{2i+1}) \bmod x$ for all $i = 0, \ldots, k-1$.

RND$_2$: Accepts positive integers $x, k, p < N$, calls $\mathcal{P}$ $2k$ times to obtain the sequence $(x_0 = P(p), \ldots, x_{2k-1} = P(p + 2k - 1 \bmod N))$, and returns $(r_0, \ldots, r_{k-1})$ where $r_i = (x_{2i} + N \cdot x_{2i+1}) \bmod x$ for all $i = 0, \ldots, k-1$.

Theorem 6.1. Fix positive integers $x, k < N$. Then:

(1) If $k = c \log N$, then RND and RND$_1$ called with $x$ and $k$ cannot be distinguished with advantage greater than $c \log N / N$.

(2) RND$_1$ and RND$_2$ called with $x$ and $k$ cannot be distinguished with advantage greater than $2k^2/N$.
Proof. (1) Assume that $a$ and $b$ are random numbers in the range $\{0, \ldots, N-1\}$. Then $c = a + bN$ is random in the range $\{0, \ldots, N^2 - 1\}$. Let $x \in \{0, \ldots, N-1\}$. With probability at least $1 - 1/N$ we have $c < \lfloor N^2/x \rfloor \cdot x$ (the excluded range contains fewer than $x \le N$ of the $N^2$ possible values), and conditioned on this event $c \bmod x$ is random in the range $\{0, \ldots, x-1\}$. The probability that this happens $c \log N$ times is therefore at least $(1 - 1/N)^{c \log N} \approx e^{-c \log N / N} \ge 1 - c \log N / N$.

(2) This follows from the well known result that a random permutation is a pseudorandom function. Briefly (see [4] for more details), consider any sequence of $2k$ random numbers in the range $\{0, \ldots, N-1\}$. The probability that all these numbers are distinct is greater than $1 - (2k)^2/2N = 1 - 2k^2/N$, and in this case this sequence forms a random partial permutation. $\square$
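The oracles RND, RND$_1$ and RND$_2$ and the reduction-modulo-$x$ bias bounded in the proof of Theorem 6.1(1), as an added Python example that is not the paper's code. `rnd1` and `rnd2` apply the paper's combination $r_i = (x_{2i} + N \cdot x_{2i+1}) \bmod x$ to ideal random values and to a permutation run in counter mode from $p$; the keyed block cipher $P_{\tilde k}$ is stood in for by a seeded random permutation table, which is an assumption of the example. `bias_one_value` and `bias_two_values` compute, exactly and in rational arithmetic, the statistical distance from uniform of a single value $a \bmod x$ versus the paired value $(a + Nb) \bmod x$ with $a, b$ uniform in $\{0, \ldots, N-1\}$; the second is the quantity the proof bounds, and the comparison is the one behind the question of Section 7 about using one value per output.

```python
from fractions import Fraction
import random


def rnd(x, k, rng):
    """RND: k independent uniform values in {0, ..., x-1} (the ideal oracle)."""
    return [rng.randrange(x) for _ in range(k)]


def combine_pairs(values, n, x):
    """r_i = (x_{2i} + N * x_{2i+1}) mod x, the reduction shared by RND_1 and RND_2."""
    return [(values[2 * i] + n * values[2 * i + 1]) % x for i in range(len(values) // 2)]


def rnd1(x, k, n, rng):
    """RND_1: 2k uniform values in {0, ..., N-1} from RND, combined in pairs."""
    return combine_pairs(rnd(n, 2 * k, rng), n, x)


def rnd2(x, k, p, perm):
    """RND_2: the same reduction applied to P(p), P(p+1), ..., P(p+2k-1 mod N), i.e.
    the permutation P (a table here) run in counter mode starting at p."""
    n = len(perm)
    return combine_pairs([perm[(p + j) % n] for j in range(2 * k)], n, x)


def tv_distance_mod(m, x):
    """Exact total variation distance between (c mod x) for c uniform on
    {0, ..., m-1} and the uniform distribution on {0, ..., x-1}.  Residue r is hit
    by ceil((m - r) / x) of the m values."""
    return sum(abs(Fraction((m - r + x - 1) // x, m) - Fraction(1, x)) for r in range(x)) / 2


def bias_one_value(n, x):
    """Bias of a single value a mod x with a uniform in {0, ..., N-1}."""
    return tv_distance_mod(n, x)


def bias_two_values(n, x):
    """Bias of (a + N b) mod x with a, b uniform in {0, ..., N-1}: c = a + N b is
    uniform on {0, ..., N^2 - 1}, the case handled in the proof of Theorem 6.1(1).
    With N^2 = q x + r this equals r (x - r) / (N^2 x) <= x / (4 N^2) < 1 / N."""
    return tv_distance_mod(n * n, x)


def make_permutation(n, seed):
    """Stand-in (assumption) for the keyed block cipher P_k: a seeded random table."""
    rng = random.Random(seed)
    p = list(range(n))
    rng.shuffle(p)
    return p


if __name__ == "__main__":
    n, x = 7, 4
    print("one value:", bias_one_value(n, x), " two values:", bias_two_values(n, x),
          " 1/N:", Fraction(1, n))
    perm = make_permutation(n, seed=42)
    print(rnd1(x, 3, n, random.Random(1)), rnd2(x, 3, 0, perm))
```

For $N = 7$ and $x = 4$ the single-value reduction has distance $3/28$ from uniform while the paired reduction has $3/196$, well under the $1/N$ per-sample bound used in the proof; the test below also checks the bound $x/(4N^2)$ over a range of parameters.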

Consider now the modification $\mathcal{F}'$ of the oracle $\mathcal{F}$ which calls $\mathcal{P}$ with two independent keys $k$ and $\tilde{k}$, one for the evaluations $P_k(\pi^m(P_k^{-1}(x)))$ and the other for the values $P_{\tilde{k}}(0), P_{\tilde{k}}(1), \ldots$ to be used by RND$_2$ in order to generate the sequence of pseudorandom numbers required by the $l$-truncated CCL process (the input argument $p$ to RND$_2$ is used to avoid sampling the same entry of $P_{\tilde{k}}$ twice).

Theorem 6.2. $\mathcal{F}'$ and $\mathcal{F}$ cannot be distinguished with advantage greater than $O(\log^2 N / N)$.

Proof. This follows from the Triangle Inequality and the earlier results 4.4, 6.1(1), and 6.1(2) with $k = 4 \log N$. $\square$

Here too, using a pseudorandom permutation oracle $\mathcal{P}'$ instead of a random one in the definition of $\mathcal{F}'$ cannot increase the advantage by more than $\alpha$, where $\alpha$ is the maximal advantage obtainable in distinguishing $\mathcal{P}'$ from $\mathcal{P}$.

7. Final remarks and open problems 

Another problem is mentioned in the original paper of Naor and 
Reingold [1] and remains open, namely, whether one can construct a 
family of fast forward pseudorandom functions with graph structure 
distribution similar to that of pseudorandom functions. 

The natural analogue of our construction for the case of pseudorandom permutations would not work for pseudorandom functions, simply because the "graph structure" of a pseudorandom function carries too much information. For example, there are $O(N)$ points with no preimage. This was not the case with permutations, where the structure is determined by the logarithmic number of its cycles and their lengths. Another approach will be needed in order to solve this problem.
Our study raises some other interesting open problems, the most interesting of which seems to be the following. Consider the $l$-truncated CCL process with $l = \log N$, which uses an oracle RND$_3$ similar to RND$_2$ as its random number generator, with the difference that it makes only $k$ calls to $\mathcal{P}$ to generate $(x_0 = P(p), \ldots, x_{k-1} = P(p + k - 1 \bmod N))$, and uses $r_i = x_i \bmod x$ instead of the original definition. (So we use $\log N$ values of $P$ instead of $8 \log N$ in the current construction.) The problem is to prove or disprove the following.

Conjecture 1. $\mathcal{F}'$ with the parameters just described cannot be distinguished from $\mathcal{P}_{FF}$ with a non-negligible advantage.